
Could an email be a threat to your healthcare business?

Among businesses, healthcare is one of the sectors most likely to hold personal data, with 81% of businesses stating they do according to the Cyber Security Breaches Survey 2022, which makes them a target for cyber criminals.

And the most common attack is phishing.

There are a couple of other statistics from the survey which raise the concern that healthcare companies may be at risk. Only 17% of businesses have had training or awareness-raising sessions on cyber security in the last 12 months, and only 19% of businesses have tested their staff with something like mock phishing exercises.

Your staff could be your biggest liability or your biggest strength when it comes to identifying phishing, so not showing them the range of malicious communications that cyber criminals are using, or not reviewing whether your current security awareness training is working, seems a serious oversight.

So, we need to train our staff. Anything else?

Your staff are likely to be the contact point where an attack will either succeed or fail, so training them to recognise and report phishing is essential. But there are also technical controls that the National Cyber Security Centre recommends, putting in place a layered approach to phishing:

Make it harder for attacks to get to employees

  • Employ anti-spoofing (DMARC, SPF, DKIM) – you can check whether your settings are correct with the NCSC’s Email Security Check.

  • Understand what information is published that could be used to create targeted attacks. You might want to look at what a corporate internet investigation might highlight, and check what information about you and your employees has already been released in data breaches.

  • Filter or block incoming phishing emails using your email provider or a specific service.

Make employees less likely to fall for the phish and know how to report them

  • Provide regular training and discussions around phishing attacks. Why not share the reported phishes so everyone can see real examples (remove the links/downloads first though)? The ECRC can provide staff awareness training bespoke to your company and practices.

  • Have a clear guide about what staff should do if they receive a phish. This also needs to include a clear reporting mechanism for when they fall victim to a phish. Some phishing emails are super realistic, so don’t blame your staff for not spotting one when they are busy.

Protect your company from undetected attacks

  • Consider technical defences – anti-malware, blocking specific file extensions, disabling macros.

  • Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns.

  • Set up 2FA/MFA wherever possible – that way, even if a username and password are compromised in a phishing attack, the attacker still shouldn’t be able to get access to the system, as they won’t have the second verification factor. WARNING – attackers are now looking at how to phish the authentication codes as well.

  • Use a password manager or a single sign-on method. Due to the autofill component, your employees will get used to not having to type in their password and may be more likely to question it when they must.

Be able to respond quickly to attacks

  • Use a security logging system to pick up on those incidents that your users are not aware of. If you don’t have a logging system in place, the NCSC has a free tool called Logging Made Easy (LME) which enables companies to set up their own basic capability.

  • Have an incident plan ready and test it. It is almost guaranteed that one day a phishing email will slip in, so what will you do about it? If you don’t already know, make sure that you go away and think about it. The ECRC has a free template you can download and use for your organisation if you haven’t got a plan yet, and you can test your plan with the NCSC’s free Exercise in a Box.
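The anti-spoofing step above (DMARC, SPF, DKIM) is easy to set up weakly and believe you are protected. The following is an added example, not code from the article or from the NCSC tool: it reads the SPF and DMARC TXT records you have already fetched for your own domain and reports the weak settings that allow spoofed mail through. The sample records in the comments are constructed for illustration.

```python
# Added example (not from the original article): grade SPF and DMARC TXT records
# for weak anti-spoofing settings. Paste in records you fetched yourself, e.g.
#   dig +short TXT example.com   and   dig +short TXT _dmarc.example.com
# Any records used with it below are constructed, not real domains' data.

# What each qualifier on the final 'all' mechanism means for unlisted senders.
ALL_QUALIFIERS = {
    "+": "'+all' lets anyone send as your domain",
    "?": "'?all' is neutral: spoofed mail is neither passed nor failed",
    "~": "'~all' is softfail: move to '-all' once you trust the record",
    "-": None,  # hard fail for unlisted senders: the setting you want
}

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    # A missing qualifier means '+' (pass), which is the weakest choice.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    finding = ALL_QUALIFIERS[qualifier]
    return [finding] if finding else []

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it looks sound."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; consider p=reject")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings
```

A domain with `v=spf1 include:_spf.example.net +all` and `v=DMARC1; p=none` passes a naive "records exist" check but lets anyone send as the domain; `-all` with `p=reject` and an `rua=` address is the target state.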

Further guidance and support

The ECRC is a police-led, not-for-profit organisation which companies can join for free.

Our core membership provides:

  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Little Steps programme – a series of weekly emails, aligned to Cyber Essentials, with bite-sized practical information to build cyber resilience
